On Thu, 2017-03-23 at 12:39 -0400, Mathieu Gagné wrote:
> On Thu, Mar 23, 2017 at 10:08 AM, <[email protected]> wrote:
> > The nova libvirt driver provides support for ebtables-based port
> > filtering (using libvirt's nwfilter) to prevent things like MAC, IP
> > and/or ARP spoofing. I've been looking into deprecating this as part of
> > the move to deprecate all things nova-network'y, but it appears that,
> > in some scenarios, it is possible to use this feature with neutron.
>
> Isn't ARP spoofing support now part of Neutron, at least for
> Linuxbridge mechanism?
> https://review.openstack.org/#/c/196986/
Correct. In most cases, you'd have to explicitly disable the neutron variant if you wanted the nova one. It was suggested to me that not every neutron driver implements this feature and for these cases the nova one would be beneficial. However, from my understanding of the nova code, this feature only works with iptables- or OVS/IVS hybrid interfaces, which _do_ support this feature in neutron [1][2], and it would have to be an explicit action by the operator.

> We do use the feature you mentioned but there is too much hack or code
> change you need to do to benefit from it.
> Especially in our case as you can't use both Neutron network manager
> (with security groups, allowed address pairs, etc.) and Nova iptables
> driver to benefit from libvirt's nwfilter anti-ARP spoofing.
>
> We are still running Kilo and will be migrating to Mitaka which has
> the ARP spoofing protection built-in in Neutron. So no, in our case, I
> don't see a reason to keep this feature around as you can get the same
> with Neutron port-security extension.

OK, good to hear.

Stephen

[1] https://review.openstack.org/#/c/196986/
[2] https://review.openstack.org/#/c/171003/
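The concern in this thread is a VM interface ending up with neither nova's nwfilter-based filtering nor neutron's port-security enforcement once the nova side is removed. The following audit is an added example, not code from the thread or from nova or neutron: it reads a libvirt domain XML for a `<filterref>` on each `<interface>` and looks up the matching neutron port's `port_security_enabled` flag. The domain XML, the port records and the function names are constructed for illustration.

```python
"""Audit VM interfaces for anti-spoofing coverage (constructed example).

A <filterref> on a libvirt <interface> shows that nova attached an nwfilter
to the port; port_security_enabled on the neutron port shows that neutron's
port-security extension (MAC/IP/ARP spoofing protection) applies instead.
An interface with neither is the gap this audit is meant to surface.
"""
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML: only the first interface carries a filterref.
DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:aa:bb:01'/>
      <filterref filter='nova-instance-instance-00000001-fa163eaabb01'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:aa:bb:02'/>
    </interface>
  </devices>
</domain>"""

# Constructed neutron port records keyed by MAC; in practice these would come
# from the neutron ports API, which exposes the port_security_enabled field.
NEUTRON_PORTS = {
    "fa:16:3e:aa:bb:01": {"port_security_enabled": False},
    "fa:16:3e:aa:bb:02": {"port_security_enabled": False},
}


def audit_interfaces(domain_xml, neutron_ports):
    """Return [(mac, status)] with status 'libvirt', 'neutron', 'both' or 'none'.

    Note: a filterref only proves a filter is attached; whether that filter
    actually contains the no-*-spoofing rules is a separate check.
    """
    results = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        mac_el = iface.find("mac")
        if mac_el is None:
            continue
        mac = mac_el.get("address").lower()
        has_nwfilter = iface.find("filterref") is not None
        has_port_sec = bool(neutron_ports.get(mac, {}).get("port_security_enabled"))
        status = {(True, True): "both", (True, False): "libvirt",
                  (False, True): "neutron", (False, False): "none"}[(has_nwfilter, has_port_sec)]
        results.append((mac, status))
    return results


def unprotected(domain_xml, neutron_ports):
    """MACs with no anti-spoofing enforcement from either side."""
    return [mac for mac, status in audit_interfaces(domain_xml, neutron_ports) if status == "none"]
```

Running `unprotected(DOMAIN_XML, NEUTRON_PORTS)` on the constructed input flags the second interface, the case where removing nova's filtering would leave a port with no spoofing protection at all.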
